The Open Source Technology Improvement Fund is proud to share the results of our security audit of conda-forge. conda-forge is a community-driven open source repository of conda package manager recipes. With the help of 7ASecurity and the Sovereign Tech Agency, this project has invested in its longevity and security health by hardening its resilience and resolving the reported vulnerabilities. 

Audit Process:

The audit of conda-forge took place in March and April of 2025, undertaken by a team of 6 from 7ASecurity. The engagement consisted of a whitebox pentest of the Mac, Windows, and Linux distributions as well as the core infrastructure code, a lightweight threat modelling exercise, and a supply chain analysis. These 4 work packages resulted in 13 findings reported to the conda-forge maintainers, along with recommendations to the team for future security work and development.

Audit Results:

  • 13 Findings with Security Impact
    • 7 Vulnerabilities
      • 1 Critical
      • 2 High
      • 3 Medium
      • 1 Low
    • 6 Hardening Recommendations
      • 1 Medium
      • 3 Low
      • 2 Info
  • Custom Threat Model
    • 5 Attack Scenarios
    • Illustration of Codebase
    • Recommendations for hardening architecture
  • Supply Chain Security Analysis
    • SLSA analysis
    • Hardening Recommendations

This was conda-forge’s first pentest. The maintainers were responsive and active partners to the audit team, and once reported, all 13 findings were resolved with fixes verified by 7ASecurity. The audit report notes that the project already practices many healthy security processes, including thorough, up-to-date documentation and effective incident response. If you use infrastructure components of conda-forge such as conda-smithy or conda-build, update to the latest releases to take advantage of the fixes made by the maintainers in response to the audit.

Thank you to the individuals and groups that made this engagement possible:

  • conda-forge community and maintainers, especially: Jaime Rodríguez-Guerra, Matthew R. Becker, Chris Burr, Cheng H. Lee, Marius van Niekerk, Jannis Leidel, and Axel Obermeier
  • 7ASecurity: Abraham Aranguren, Daniel Ortiz, Dariusz Jastrzębski, Dheeraj Joshi, Miroslav Štampar, and Szymon Grzybowski
  • Sovereign Tech Agency

You can read the Audit Report HERE

You can read 7ASecurity’s Blog HERE

You can read conda-forge’s Blog HERE


OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar: https://lu.ma/ostif-meetups

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].